On June 9, 2022, the Office of the Superintendent of Financial Institutions (OSFI) published its summary response to feedback received from stakeholders regarding draft Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), that will apply to federally regulated financial institutions, as previously reported by the E-TIPS® Newsletter here

During a three-month consultation period, OSFI received feedback from interested stakeholders.  As a result of this feedback, OSFI implemented the following changes to the final Guideline B-13:

  1. Less Prescriptive – The final Guideline B-13 will include fewer prescriptive expectations/examples, with added emphasis on approaching B-13 from a risk-based perspective.
  1. Streamlined – The draft Guideline B-13 was organized into 5 different domains – Governance and Risk Management; Technology Operations; Cyber Security; Third-Party Provider Technology and Cyber Risk; and Technology Resilience.  The final Guideline B-13 will be organized into only 3 domains – Governance and Risk Management; Technology Operations and Resilience; and Cyber Security. 
  • This was achieved by moving the Third-Party Provider Technology and Cyber Risk domain to Guideline B-10, and by combining the Technology Operations and Technology Resilience domain into a streamlined and renamed Technology Operations and Resilience domain.
  1. Clear Definitions – Instead of having separate definitions for “technology risk” and “cyber risk” the final Guideline B-13 will only contain a single definition for “technology risk” that includes “cyber risk”.
  1. Clear expectations – the final Guideline B-13 will contain more clear and consolidated expectations.  It will remove confusing or duplicative expectations and examples.

OSFI states that the final Guideline B-13 will be published in the coming weeks. We will provide a summary of the final Guideline B-13 following its release.

Summary By: Olalekan (Wole) Akinremi


22 06 15

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.